The typical symptom is missing or not updated files after you install a Small
or Minor Update to your application (Major Upgrades are not affected). In the
installer log file you'll notice that some features have been switched to
"advertised" state and instead of being installed locally. The actual cause is
noted in the SELMGR error message in the log similar to this:

SELMGR: ComponentId '{-GUID-}' is registered to feature '-Feature-Name-',
but is not present in the Component table. Removal of components from a
feature is not supported!

This happens if your setup includes a merge module like
Microsoft_VC80_CRT_x86.msm and you rebuilt your setup package after installing
security updates
971090 and
973673 for
Visual Studio 2005 SP1 or
971092 and
973675 for
Visual Studio 2008 SP1. These security updates install newer versions of merge
modules.

Apparently a component that existed in the original version of the merge
module has been removed in the updated msm. Removing a component is a violation
of Windows Installer's rules for Small and Minor Updates.

Affected Merge Modules and GUIDs

Visual Studio 2005 SP1

I examined to merge modules installed by Visual Studio 2005 SP1 and updated
by by security updates
971090 and
973673. I
found that all of these merge modules are affected by this problem, i.e. they
have components removed:

Visual Studio 2008 SP1

I also examined to merge modules installed by Visual Studio 2008 SP1 and
updated by by security updates
971092 and
973675. I
found that all of these merge modules are affected by this problem, i.e. they
have components removed:

Workarounds

This means that if your setup includes any of these merge modules, the
security update prevents you from shipping Small or Minor Updates.The workaround
I'd recommend is using a Major Upgrade (i.e. change the ProductCode and add an
entry in the Upgrade table) to update your application.

Gauravb's blog lists some other workarounds which I don't think are feasible:

Use the VC Redistributable Installer EXE package to install the runtime
instead of the merge modules. - Good advice for new packages or Major
Upgrades, but you can't remove the merge modules from your package in a
Small or Minor Update.

Use the old version of the merge modules - This means you would
knowingly be installing a vulnerable file on your customer's computer.

Another potential workaround would be to add dummy components to your msi
setup with the same GUIDs as the components that were removed from the merge
modules. But that could cause conflicts with other msi files that include the
original version of the module.

About the Author

Stefan Krueger is working as freelance setup consultant and is running
the
InstallSite.org web
site, a place where setup developers share resources and information among
peers. Stefan has been recognized by Microsoft as an
MVP (Most
Valuable Professional) for Windows Installer.